Wednesday, September 28, 2011

The 2nd edition of Inside Cyber Warfare: Mapping The Cyber Underworld will contain 4 new chapters plus a new Foreword by former DHS Secretary Michael Chertoff and an Afterword by Professor Catherine Lotrionte of Georgetown University. One of those chapters is entitled "Cyber Warfare Capabilities By Nation State". For those of you who can't wait for the 2nd edition to come out, here are the 27 28* States:

Australia
Brazil
Canada
Czech Republic
Democratic People's Republic of Korea
Estonia
France
Germany
India
Iran
Israel
Italy
Kenya
Myanmar
Netherlands
Nigeria
Pakistan
People's Republic of China
Poland
Republic of China (Taiwan)
Republic of Korea
Russian Federation
Singapore
South Africa
Sweden
Turkey
United Kingdom
United States*

This is not a complete list, but it's a start. We may roll it over into an updatable website and add the states that we missed for the book (e.g., all of the members of the Commonwealth of Independent States, additional states from Africa and South America, etc.).

* UPDATE: (29 Sep 2011) I left the U.S. off the original list because it's covered under one of the other new chapters! Sorry, everyone. :-D

Tuesday, September 27, 2011

Today's Washington Post article "In China, Business travelers take extreme precautions to avoid cyberespionage" barely cracks the surface of what occurs in China and other nation states that engage in cyber-espionage. I founded a company on that very premise in 2010 and am still amazed at how easily state actors can obtain exactly what they want from visiting C-level executives without anyone knowing it. In fact, I had this very conversation with Joel Brenner just recently (Brenner is extensively quoted in the WaPo article).

I was astounded to read in Siobhan Gorman's WSJ article that the U.S. Dept of State's approach to cybersecurity (iPost) is so innovative that very well-known cybersecurity firms are requesting its source code. State is a well-known bureaucratic sinkhole, but it appears to be paying attention to improving its cybersecurity; at least as far as known threats and vulnerabilities go. And that's the rub.

No one should be compromised through a known vulnerability, yet it happens all the time; especially SQL injection attacks (InfraGard, INSA, Sony, etc.). So while known threats are still a problem, they shouldn't be. And iPost does nothing to protect from the real problem - customized attacks which are specifically built to compromise a targeted network. That's the real risk; not only to State but to government agencies all over the world. So when John Streufert, State's CISO, says something like this - "We know anywhere in the world what our risk is" - then I have serious doubts about State's understanding of risk management. Risk isn't about what you know. Risk is about what you don't know. And iPost, like many other so-called cybersecurity solutions, does absolutely nothing to address that problem.

Thursday, September 22, 2011

The International Code of Conduct for Information Security proposed to the U.N. Secretary General by Russia, China, Tajikistan and Uzbekistan superficially sounds great but contains some critical flaws in its language. My recommendation is that the U.S. and its allies reject it. Here's why:

1. It does not support the most effective strategy we have in combatting cyber attacks: international cross-border law enforcement. Instead, in sections 1 and 5 it strongly supports territorial integrity and the sovereign right of States to protect their own Information space.

2. It only supports international cooperation when there's a threat to its power base by dissident political extremists or terrorists (section 3). Both Russia and China have been monitoring the "Arab Spring" in the Middle East and Northern Africa with great concern and are implementing national policies which arm their own security services with tools to detect and prevent a similar occurrence within their own borders.

3. Section 6 allows it to continue national policies related to censorship while at the same time promoting the freedom to search, acquire, and disseminate information. While there's universal consensus that some topics are so egregious that they should be illegal (e.g., child pornography), China's Great Firewall goes far beyond that.

4. Nowhere does this document address the activity that favors the Russian Federation and People's Republic of China the most - cyber espionage. It does, however, specifically ban the proliferation of "Information weapons and related technologies", which is nothing short of hypocritical since both the RF and PRC are actively involved in standing up their own IW commands similar to US CYBERCOM.

In my opinion, this document is a red herring and is part of an overall strategy of misdirection by China, Russia and the two former Soviet states. I hope that U.N. member states and relevant international organizations will read it with a critical eye and not embrace it without conducting an informed debate on what it does and doesn't actually say.

Tuesday, September 13, 2011

Yesterday, I wrote about a little-reported story of how Huawei is under investigation by Chinese authorities for allegedly abusing its employees' stock purchasing program to effectively generate bank loans without having to report them to the government. My post surprised Huawei US VP for Government Affairs William Plummer, who wasn't aware of the scandal, but in a private email to me Mr. Plummer expressed skepticism about the accuracy of the report. Consequently, I've tasked some of Taia Global's China experts (all native speakers) to take a deeper look at Huawei's employee incentive plan and how it impacts the company's debt ratio, which depending upon the math involved could go as high as 82% rather than the very low 61% figure provided in Mr. Plummer's Huawei Overview .ppt deck.

Taia Global's Report on Huawei's Bank Loan controversy

Internal financing has been part of Huawei’s employee incentive plan since the 1990s, but this program has become an indirect method for Huawei to borrow money from banks. According to a blog on Tianya, an online community for overseas Chinese, before 2007 the amount of internal stock allocated to each employee was based on the number of years the employee had served and the economic contribution the employee had made in the corresponding year.

Internal stock was one of the three key benefits for employees, in addition to salary and stock dividends. In recent years, each employee was allowed to purchase a higher proportion of internal stock shares with a 15% down payment; the remainder was paid via bank loans borrowed at a 6% interest rate in the name of the employee, who had to pay back at least 20% of the loan’s net value each year. The down payment ratio was increased to 40% in 2010. Although dividends were high, most were used to pay back the loans taken out for internal stock purchases. If an employee left Huawei, the employee could only sell the stock shares at the original purchase price, with no capital gain on such an internal investment.

Huawei’s approach (which has been in place since at least 2000 and perhaps earlier) has two consequences. First, Huawei, as the company entity, received borrowed money in its employees’ names and avoided having to identify it as debt on its balance sheet, which enabled the company to polish its financial performance. A Chinese blogger, Kuai Dao Hong Qi, whose real name is Chen Hui Min (陈惠民), an influential media professional, listed financial data from Huawei’s financial statements from 2008 to 2010. According to his blog, in 2010 the debt ratio of Huawei (debt of 105.6 billion yuan / assets of 160.8 billion yuan) was 66%, a little lower than the 70% financial warning line. If Huawei added back the 11.4 billion yuan accumulated through this employee incentive plan, the debt ratio would be 68% (adjusted debt of 117 billion yuan / adjusted assets of 172.2 billion yuan).

Second, this plan is very risky for employees. In order to receive more dividends in the future, employees borrowed money to buy stock shares and then used the dividends they received to pay back the loans, so they were giving up short-term benefits in pursuit of long-term rewards. Their assumption is that Huawei will maintain the high growth rates it has had historically, which is not easy given slow market expansion and high research expenses for exploring new business sectors.

Another potential and well-hidden problem with Huawei’s financial performance is the accelerated recognition of sales revenue. By 2010, Huawei had sold accounts receivable totalling 84 billion yuan to banks so the company could recognize revenue quickly. However, Huawei is still liable for the losses if the banks fail to collect the money from Huawei’s clients. According to both Chinese and American accounting standards, this is a type of contingency and should be classified as debt. If Huawei also followed this rule, its adjusted debt ratio in 2010 would be 82%, much higher than the warning line of 70%.

No official Chinese media outlet reports on Huawei’s financial issues, although some information can be found online. Meanwhile, according to a person working at Huawei, the employee incentive plan was approved by the Guangdong government, so most people inside Huawei do not think it is risky.

Wednesday, September 7, 2011

According to this article in the Philippine Star, the China Audit Commission and the China Banking Regulatory Commission ordered four banks to withdraw their loans to Huawei employees after discovering that the company forced employees to take loans in order to buy Huawei shares. By doing this, Huawei's leadership was able to bypass laws requiring that such fund raising be publicly listed and supervised by the government. The benefit to Huawei was that this practice, rumored to have been going on for four years, would create the illusion of financial strength, thus enabling it to secure larger credit lines with better terms. Larger credit lines also help the company beat its competitors by offering rock-bottom prices on its hardware that no one else can afford to match; the most recent example being the sale of Huawei-Symantec hardware to the University of Tennessee Sim Center.

This story was also covered in China Business Daily, which states that wrongdoing on the part of Huawei may include the fabrication of contracts. Earlier this year, Huawei was involved in a bribery scandal in Austria. In spite of the past government affiliations of two of its senior leaders, and these allegations of financial wrongdoing, Huawei has managed to hire John Suffolk, the former CIO for the British government, and John Bellinger, former chief attorney at the U.S. State Department. Then there's William Plummer - Huawei's mouthpiece on Capitol Hill who claims that any ties between Huawei and the Chinese government are either invented by its critics or stem from a mistake in a 2001 Wall Street Journal Asia article.

Finally, and worst of all in my opinion, is the fact that Symantec's board of directors approved forming a joint venture with Huawei in 2008 and remains eager to increase its profit margins with a possible IPO this year. How can anybody take Symantec seriously when it sells security solutions to companies being attacked by China (among other states) while at the same time it is in bed with a company so closely allied with the Chinese government?